https://bugzilla.kernel.org/show_bug.cgi?id=199977

--- Comment #2 from Wen Xu (wen.xu@xxxxxxxxxx) ---

(In reply to Theodore Tso from comment #1)
> This replicates on v4.17, but it doesn't replicate with the tip of ext4.git
> tree (which was pulled by Linus during the post 4.17 merge window).
>
> Still TBD which of the patches fixes this particular POC replication.

Hi Ted,

In fact I reproduce it with the latest ext4 dev branch, while fuzzing with Linus' branch.

The last commit of the ext4.git branch I use to reproduce is:

commit 4f2f76f751433908364ccff82f437a57d0e6e9b7
Author: Jan Kara <jack@xxxxxxx>
Date:   Fri May 25 12:51:25 2018 -0400

    ext4: fix fencepost error in check for inode count overflow during resize

    ext4_resize_fs() has an off-by-one bug when checking whether growing of a
    filesystem will not overflow inode count. As a result it allows a
    filesystem with 8192 inodes per group to grow to 64TB which overflows
    inode count to 0 and makes filesystem unusable. Fix it.

    Cc: stable@xxxxxxxxxxxxxxx
    Fixes: 3f8a6411fbada1fa482276591e037f3b1adcf55b
    Reported-by: Jaco Kroon <jaco@xxxxxxxxx>
    Signed-off-by: Jan Kara <jack@xxxxxxx>
    Signed-off-by: Theodore Ts'o <tytso@xxxxxxx>
    Reviewed-by: Andreas Dilger <adilger@xxxxxxxxx>

And I can still get the following information with the POC:

[  159.253263] EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
[  160.963191] ==================================================================
[  160.964784] BUG: KASAN: slab-out-of-bounds in ext4_xattr_list_entries+0x120/0x190
[  160.966274] Read of size 4 at addr ffff8801e33d3080 by task a.out/1348

[  160.967882] CPU: 0 PID: 1348 Comm: a.out Not tainted 4.17.0-rc4+ #5
[  160.967886] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[  160.967889] Call Trace:
[  160.967901]  dump_stack+0x7b/0xb5
[  160.967913]  print_address_description+0x70/0x290
[  160.967919]  kasan_report+0x291/0x390
[  160.967926]  ? ext4_xattr_list_entries+0x120/0x190
[  160.967933]  __asan_load4+0x78/0x80
[  160.967940]  ext4_xattr_list_entries+0x120/0x190
[  160.967947]  ext4_listxattr+0x32e/0x5f0
[  160.967955]  ? ext4_xattr_get+0x4d0/0x4d0
[  160.967961]  ? __kmalloc_node+0x11e/0x2e0
[  160.967967]  ? ext4_xattr_get+0x4d0/0x4d0
[  160.967975]  vfs_listxattr+0x9d/0xc0
[  160.967981]  listxattr+0x58/0xd0
[  160.967988]  path_listxattr+0xb9/0x120
[  160.967994]  ? listxattr+0xd0/0xd0
[  160.968002]  ? vm_brk+0x20/0x20
[  160.968009]  __x64_sys_listxattr+0x48/0x50
[  160.968017]  do_syscall_64+0x78/0x170
[  160.968027]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[  160.968031] RIP: 0033:0x7ff483fe20d7
[  160.968035] RSP: 002b:00007ffd3a2bc418 EFLAGS: 00000206 ORIG_RAX: 00000000000000c2
[  160.968041] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff483fe20d7
[  160.968044] RDX: 0000000000000071 RSI: 00007ffd3a2bc440 RDI: 0000000000af7080
[  160.968047] RBP: 00007ffd3a2bc4c0 R08: 0000000000af7010 R09: 0000000000000000
[  160.968050] R10: 00000000000001ab R11: 0000000000000206 R12: 0000000000400550
[  160.968053] R13: 00007ffd3a2bc5c0 R14: 0000000000000000 R15: 0000000000000000

[  160.968377] Allocated by task 0:
[  160.969027] (stack is not available)

[  160.970057] Freed by task 0:
[  160.970650] (stack is not available)

[  160.971681] The buggy address belongs to the object at ffff8801e33d3080
                which belongs to the cache pid(250:lvm2-lvmetad.service) of size 64
[  160.974417] The buggy address is located 0 bytes inside of
                64-byte region [ffff8801e33d3080, ffff8801e33d30c0)
[  160.976653] The buggy address belongs to the page:
[  160.977605] page:ffffea00078cf4c0 count:1 mapcount:0 mapping:0000000000000000 index:0xffff8801e33d3000
[  160.979440] flags: 0x2ffff0000000100(slab)
[  160.980260] raw: 02ffff0000000100 0000000000000000 ffff8801e33d3000 000000018020001f
[  160.981780] raw: dead000000000100 dead000000000200 ffff8801e0c2da40 ffff8801f3c7bb80
[  160.983305] page dumped because: kasan: bad access detected
[  160.984406] page->mem_cgroup:ffff8801f3c7bb80

[  160.985584] Memory state around the buggy address:
[  160.989718]  ffff8801e33d2f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[  160.991161]  ffff8801e33d3000: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
[  160.992579] >ffff8801e33d3080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  160.993997]                    ^
[  160.994660]  ffff8801e33d3100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  160.996073]  ffff8801e33d3180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[  160.997486] ==================================================================
[  160.998913] Disabling lock debugging due to kernel taint

The POC is simplified. I do not know whether using my original POC can help to reproduce, but I attached it.

--
You are receiving this mail because:
You are watching the assignee of the bug.
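The fencepost error described in the commit message quoted above, as an added illustration that is neither the commit's nor the kernel's code: the two checks are modelled on the `>` versus `>=` comparison the fix changed, and the block size, blocks per group and 8192 inodes per group are assumed values. At 64 TiB the zero-based index of the last group equals 0xFFFFFFFF / 8192, so the old comparison lets the resize through and the 32-bit inode count wraps to 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for the illustration: 4 KiB blocks, 32768 blocks per group,
 * 8192 inodes per group (the case the commit message names). */
#define BLOCK_SIZE        4096ULL
#define BLOCKS_PER_GROUP  32768ULL
#define INODES_PER_GROUP  8192U
#define MAX_INODES        0xFFFFFFFFUL   /* the on-disk inode count is a 32-bit field */

/* Zero-based index of the last block group once the filesystem is n_bytes large. */
static uint32_t last_group_index(uint64_t n_bytes)
{
    uint64_t n_blocks = n_bytes / BLOCK_SIZE;
    return (uint32_t)((n_blocks - 1) / BLOCKS_PER_GROUP);
}

/* Pre-fix style check: compares the zero-based last index, so exactly
 * 2^32 inodes (n_group + 1 groups) is not rejected. */
static bool resize_rejected_old(uint32_t n_group)
{
    return n_group > (MAX_INODES / INODES_PER_GROUP);
}

/* Post-fix style check: ">=" accounts for group 0 and rejects that size. */
static bool resize_rejected_new(uint32_t n_group)
{
    return n_group >= (MAX_INODES / INODES_PER_GROUP);
}

/* The 32-bit inode count the superblock would record after the resize. */
static uint32_t resulting_inode_count(uint32_t n_group)
{
    return (uint32_t)(((uint64_t)n_group + 1) * INODES_PER_GROUP);
}

int main(void)
{
    uint32_t g = last_group_index(64ULL << 40);   /* grow to 64 TiB */
    printf("last group index %u: old check rejects=%d, new check rejects=%d, "
           "inode count would be %u\n",
           g, resize_rejected_old(g), resize_rejected_new(g),
           resulting_inode_count(g));   /* prints 524287: 0, 1, 0 */
    return 0;
}
```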